#2078 [RFE] Support AD users from a trusted forest in sssd-ad provider
Opened 6 years ago by dpal. Modified a year ago

Use case:

- AD forests A, B
- Forests are in trust relationship
- Linux system is joined into forest A using sssd-ad
- Users from root and subdomains of the B should be able to log in into the system using SSSD and their identity and group membership should be resolvable.

The feature should support both cases:
- No POSIX attributes in AD - user POSIX IDs are mapped on the fly
- Leverage POSIX attributes from AD


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13 beta
rhbz: => todo

Fields changed

mark: => 1

Fields changed

milestone: SSSD 1.13 beta => SSSD 1.13 backlog

Mass-moving tickets not planned for the 1.13 release to 1.14

milestone: SSSD 1.13 backlog => SSSD 1.14 beta

This needs cooperation with winbind which won't happen in the next couple of months.

milestone: SSSD 1.14 beta => SSSD 1.15 beta
sensitive: => 0

Metadata Update from @dpal:
- Issue set to the milestone: SSSD Future releases (no date set yet)

2 years ago

Hello,
Are we able to seek colab with winbind, it's around a year now..
Thanks

Is there a recommended workaround to resolve this use case? Or do all machines and all users have to be members of both domains in the example, Domain A and Domain B?

Yes, that's one way. The other is to use IDM and establish trust against both domains. And of course another way is to use winbind..

Metadata Update from @jhrozek:
- Custom field design_review reset (from 0)
- Custom field mark adjusted to on (was: 1)
- Custom field patch reset (from 0)
- Custom field review reset (from 0)
- Custom field sensitive reset (from 0)
- Custom field testsupdated reset (from 0)
- Issue close_status updated to: None

2 years ago

Are there any plans to work on this issue? The current workarounds wont work for me due to security issues(both domains) and infrastructure changes(IPA).

I am also curious if and when there are plans to address this. Cross domain trusts are very common in scenarios where companies acquire other companies or in our case our Architects decided to create an entirely separate resource domain for the Cloud.

Thank You

Currently nobody is working on this and frankly I don't think anybody will in the near future. The options outside SSSD are either IPA with trusts or winbind.

Metadata Update from @jhrozek:
- Custom field design_review reset (from false)
- Custom field patch reset (from false)
- Custom field review reset (from false)
- Custom field sensitive reset (from false)
- Custom field testsupdated reset (from false)

a year ago

I am also curious if and when there are plans to address this. Cross domain trusts are very common in scenarios where companies acquire other companies or in our case our Architects decided to create an entirely separate resource domain for the Cloud.
Thank You

FWIW, my solution/workaround was to use Centrify Express in place of SSSD. This was on Ubuntu 14.04. Centos/RedHat systems may have better SSSD implementations, not sure.

Login to comment on this ticket.

Metadata